CVE-2022-21648
CVE-2022-21648 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. Latte is an open source template engine for PHP. Since version 2.8.0, Latte has included a template sandbox, and in affected versions a sandbox escape exists that allows injection into web pages generated from Latte. EPSS estimates a 0.82% chance of exploitation in the next 30 days.
Description
Latte is an open source template engine for PHP. Since version 2.8.0, Latte has included a template sandbox, and in affected versions a sandbox escape exists that allows injection into web pages generated from Latte. This may lead to XSS attacks. The issue is fixed in versions 2.8.8, 2.9.6 and 2.10.8. Users unable to upgrade should not accept template input from untrusted sources.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Nette | Latte | >= 2.8.0, < 2.8.8 |
| Nette | Latte | >= 2.9.0, < 2.9.6 |
| Nette | Latte | >= 2.10.0, < 2.10.8 |
References
- https://github.com/nette/latte/commit/9e1b4f7d70f7a9c3fa6753ffa7d7e450a3d4abb0 (Patch, Third Party Advisory)
- https://github.com/nette/latte/security/advisories/GHSA-36m2-8rhx-f36j (Third Party Advisory)
Source: NVD / NIST
